When and How to Report Two-Factor Authentication (2FA) Fraudulent Attempts

Two-Factor Authentication (2FA) is a two-step process for logging in to Penn State systems and services. Deny every 2FA authentication request you did not initiate in order to protect your account; however, report as fraud only those requests that are truly an attempt by someone other than yourself to access a Penn State Access Account.

What Is a Fraudulent Attempt?

A 2FA fraudulent attempt is an unauthorized attempt to access a Penn State Access Account by someone other than the account holder. Because the 2FA prompt is only sent after the first step of the login has succeeded, an unexpected push or call usually means that someone already has your password and needs only your approval to get in. Treat it as a serious security risk.

Report all fraudulent attempts, but first make sure you can tell an actual fraudulent attempt from something that is not fraudulent but might appear to be.

Example of Fraudulent Attempt

If you receive a 2FA authentication request that you did not initiate (for example, you are in a restaurant, not attempting to log in to your Access Account, and receive a push notification you did not request), someone else may be trying to gain access to your account.

Deny the authentication request to protect your account, and report it as fraud only if you are certain that it is fraudulent (see "How to Report a 2FA Fraudulent Attempt" below).

Reporting a fraudulent attempt on your account locks both your Access Account and your Duo Security account (your 2FA account with Duo Security, Penn State's 2FA partner). You will need to contact the IT Service Desk to have the accounts unlocked before you can resume normal activities.

Examples of what Might Not Be a Fraudulent Attempt

Deny any authentication request that you do not believe you initiated. The following are examples of login attempts that might look like fraud at first glance but are not attempts by someone else to access your account; do not report these as fraud.

Shared device
An authentication request sent to a device that is shared by multiple users, such as an office landline or a cell phone that serves as an emergency back-up for a friend or family member. Always deny the unexpected authentication request to protect your account, but check whether there was a legitimate reason for receiving it (for example, the other user of the device was logging in to their own account) before reporting it as fraud.

Automatic login attempts
Some 2FA-protected systems or services, such as a departmental VPN, are configured to reconnect automatically. A computer that was left on and is trying to reconnect to such a service can send a push notification or place a phone call that the account holder did not initiate. Always deny the unexpected request to protect your account, but check whether one of your own devices could have generated it before reporting it as fraud.

Misinterpreting an IP address
The location shown on a push notification is derived from the IP address and is not necessarily where the login attempt came from: IP geolocation often points to where the network provider registered the address rather than to the device itself. For instance, push notifications initiated in State College might list Altoona as the location. This does not mean that the authentication request is coming from someone in Altoona. Do not report fraud for an authentication attempt that you initiated just because the location shown differs from what you expected.

Testing the Duo Mobile App
Do not test the fraud-reporting function in the Duo Mobile app. It works: a test files a real fraud report, and your Access Account and your Duo Security account will be locked.

How to Report a 2FA Fraudulent Attempt

If the fraudulent attempt is a push notification to a smartphone, deny the push notification and then confirm in the app that it is a fraudulent attempt in order to report it. Again, reporting fraud locks both your Access Account and your 2FA account, so be certain that this is a fraudulent attempt before you report it. You will then need to contact the IT Service Desk for assistance with unlocking the accounts.

If the fraudulent attempt arrives on a device that is not a smartphone (for example, as a phone call to a landline), contact the IT Service Desk to report the fraud and to receive assistance with unlocking the accounts.